Defending against CSRF attacks requires a multi-layered protection strategy. Here are several effective defense methods:
1. CSRF Token (Recommended)
How It Works
- Server generates random Token, stores in session
- Token added to form hidden field or request header
- Server verifies if Token in request matches session Token
Implementation Example
// Frontend <form action="/transfer" method="POST"> <input type="hidden" name="csrf_token" value="{{ csrf_token }}"> <input type="text" name="amount"> <button type="submit">Transfer</button> </form> // Or using AJAX fetch('/transfer', { method: 'POST', headers: { 'X-CSRF-Token': csrf_token, 'Content-Type': 'application/json' }, body: JSON.stringify({ amount: 100 }) });
Notes
- Token must be sufficiently random (at least 128 bits)
- Token should have expiration
- Each Token should be used only once (optional)
- Sensitive operations must verify Token
2. SameSite Cookie Attribute
How It Works
SameSite attribute controls Cookie sending behavior in cross-site requests.
Attribute Values
// Strict: Send Cookie only in same-site requests Set-Cookie: sessionid=abc123; SameSite=Strict // Lax: Allow certain cross-site requests (like navigation) Set-Cookie: sessionid=abc123; SameSite=Lax // None: Allow cross-site requests (requires Secure attribute) Set-Cookie: sessionid=abc123; SameSite=None; Secure
Recommended Configuration
- Use
SameSite=Strictfor sensitive operations - Use
SameSite=Laxfor general applications - Avoid
SameSite=Noneunless necessary
3. Verify Referer/Origin Headers
How It Works
Check if request source is legitimate.
Implementation Example
// Server-side validation const allowedOrigins = ['https://example.com', 'https://www.example.com']; function validateOrigin(req) { const origin = req.headers.origin || req.headers.referer; if (!origin) return false; const originUrl = new URL(origin); return allowedOrigins.includes(originUrl.origin); }
Notes
- Referer may be disabled or modified by browsers
- Origin only exists in cross-site requests
- Cannot be used as sole defense method
4. Double Submit Cookie
How It Works
- Token stored in both Cookie and request parameters
- Server verifies if both match
Implementation Example
// Set Cookie res.cookie('csrf_token', token, { httpOnly: true, sameSite: 'strict' }); // Include Token in form <input type="hidden" name="csrf_token" value="{{ csrf_token }}"> // Server verification if (req.cookies.csrf_token !== req.body.csrf_token) { throw new Error('CSRF token mismatch'); }
Notes
- Needs to be combined with other protection measures
- Not suitable for all scenarios
5. Custom Request Headers
How It Works
- Use custom Header (e.g.,
X-Requested-With) - Simple cross-site requests cannot add custom Headers
Implementation Example
fetch('/api/data', { headers: { 'X-Requested-With': 'XMLHttpRequest' } });
Notes
- Only applicable to AJAX requests
- Requires server to verify Header
6. CAPTCHA
How It Works
- Sensitive operations require user to enter CAPTCHA
- CAPTCHA requires active user input
Applicable Scenarios
- Large amount transfers
- Deleting important data
- Modifying critical settings
7. Re-authentication
How It Works
- Sensitive operations require re-entering password
- Confirms user intent
Implementation Example
// Before performing sensitive operation function performSensitiveAction(callback) { showPasswordPrompt((password) => { verifyPassword(password).then(valid => { if (valid) callback(); }); }); }
Comprehensive Defense Strategy
Best Practices
- Use CSRF Token: Primary defense method
- Set SameSite=Lax: Enhance protection
- Verify Origin/Referer: Additional verification
- Double confirmation for sensitive operations: Important operations
- Regularly update Tokens: Reduce risk
- Monitor abnormal requests: Detect issues early
Framework Support
- Spring Security: Automatically generates and validates CSRF Tokens
- Django: Built-in CSRF protection middleware
- Express: Use
csurfmiddleware - Laravel: Automatically adds CSRF Token
Summary
No single defense method can completely prevent CSRF attacks. It's recommended to use a multi-layered protection strategy, with CSRF Token as the primary method, combined with SameSite Cookie, Origin verification, and additional confirmation mechanisms for sensitive operations.